Traditionally, information about vulnerabilities and security updates (a.k.a. security patches) has been published on the Microsoft Security Bulletin website. Customers have asked us for better access to security update information, as well as easier ways to customize their view to serve a diverse set of needs.
Microsoft has now released a new destination for security vulnerability information: the Security Update Guide.
What is the Security Update Guide?
The Security Update Guide is a new single destination for security vulnerability and security update information. In addition to providing the rich detail of traditional security bulletins, the new Security Update Guide will add support for new information and new methods of browsing this information.
Support for Filtering and Sorting
On the Security Update Guide dashboard page, you can see the release notes associated with the monthly security release. You can also filter and sort by product or date range, and search for updates by CVE or KB number.
You can also drill into each vulnerability. There are links to the KB article, the packages, and the CVE details pages.
A new RESTful API
When you click the “DEVELOPER” tab, you’ll sign in and be given the ability to create an API key and view code samples and API descriptions for programmatically pulling data from Microsoft in the industry-standard CVRF format.
More information is also available at the Security Update Guide project on GitHub.
Example: Generating an HTML Document of Monthly Updates
As an example of scripting against the API, let me show you how to generate a summary of the monthly security updates by using PowerShell.
- Navigate to the Security Update Guide, open the Developer tab, and sign in with your Microsoft Account to generate an API key.
Copy the key to an easily accessible location so that you can paste it in a moment, e.g. a quick text file created in Notepad and saved to the Desktop.
- Open the GitHub sample code page and copy the sample script.
- Edit the script to enter your API key in the following line:
Set-MSRCApiKey -ApiKey "<your API key>" -Verbose
- Edit the script to enter the month of interest in the following line. For April 2017, for example, the value is 2017-Apr.
$monthOfInterest = '<year-month>'
- Run the script. In this sample script, the HTML document of monthly updates is generated at c:\temp\MSRCAprilSecurityUpdates.html
Note: Running the script for the first time
You will momentarily be prompted to install the GitHub NuGet Library as below; press “Y”, then Enter. This prompt only appears the first time you run the script.
Note: Please see LICENCE here for terms of use.
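The steps above can also be collected into one parameterized script; the following is an added example, not the GitHub sample script or any Microsoft code. It goes one step beyond the page by also writing a CVE-to-KB table from the same CVRF document. Assumptions: the MsrcSecurityUpdates module is already installed, the API key is supplied through an environment variable named MSRC_API_KEY (a hypothetical name), the output file names are made up here, and the CVRF property paths used for the table are as noted in the comments.

```powershell
# Added example (not the GitHub sample script). Assumes the MsrcSecurityUpdates
# module is already installed and the API key is in the MSRC_API_KEY environment
# variable (hypothetical name) instead of being pasted into the script.
[CmdletBinding()]
param(
    # Month ID in the year-month form from the steps above, e.g. 2017-Apr
    [ValidatePattern('^\d{4}-(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$')]
    [string]$MonthOfInterest = '2017-Apr',
    [string]$OutDir = 'C:\temp'
)

$ErrorActionPreference = 'Stop'
Import-Module MsrcSecurityUpdates

if (-not $env:MSRC_API_KEY) { throw 'MSRC_API_KEY is not set.' }
Set-MSRCApiKey -ApiKey $env:MSRC_API_KEY

if (-not (Test-Path -Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

# Download the month's CVRF document once and reuse it for both outputs.
$cvrf = Get-MsrcCvrfDocument -ID $MonthOfInterest

# Output 1: the HTML summary described in the steps above.
$htmlPath = Join-Path $OutDir "MSRC-$MonthOfInterest-SecurityUpdates.html"
$cvrf | Get-MsrcSecurityBulletinHtml | Out-File -FilePath $htmlPath -Encoding utf8

# Output 2: one CSV row per CVE with the KB numbers that remediate it.
# Assumed CVRF layout: Vulnerability[].CVE, .Title.Value and
# .Remediations[].Description.Value (the KB number when it is all digits).
$rows = foreach ($v in $cvrf.Vulnerability) {
    $kbs = @($v.Remediations.Description.Value |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object -Unique)
    [pscustomobject]@{
        CVE   = $v.CVE
        Title = $v.Title.Value
        KBs   = ($kbs | ForEach-Object { "KB$_" }) -join ';'
    }
}
$csvPath = Join-Path $OutDir "MSRC-$MonthOfInterest-CveToKb.csv"
$rows | Sort-Object CVE | Export-Csv -Path $csvPath -NoTypeInformation

"{0} CVEs written to {1}; HTML summary at {2}" -f @($rows).Count, $csvPath, $htmlPath
```

The ValidatePattern attribute rejects a malformed month ID before any request is sent, and the CSV gives the CVE and KB pivot that replaces bulletin numbers in the new model.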
Where is the Bulletin Number (MSxx-xxx)?
With the launch of the Security Update Guide, the way Microsoft documents vulnerabilities and security updates has changed. The old form of security update documentation, including bulletin ID numbers, is being retired. The new model for documenting security updates is the Security Update Guide.
Instead of bulletin IDs, the new Security Update Guide pivots on vulnerability ID numbers and KB Article ID numbers. There is no context for bulletin ID numbers in the new model, so bulletin IDs are not included.
Is there any change in how security updates are deployed?
The Security Update Guide is a new way of delivering information about vulnerabilities and security updates.
There is no change to security update packages or to the deployment of security updates.
Microsoft patch management tools (WSUS, SCCM) continue to work.
If you have questions or feedback, please visit the Security Update Guide Frequently Asked Questions (FAQ) and the Security Update Guide – User Forum.
For many years, it’s been a painful and expensive process for many IT professionals to gather vulnerability and security update data from the bulletin website each month. Now, with this new Security Update Guide, I believe it becomes a very easy and industry-standard process.
Security Program Manager, Customer Services and Support